author | Emil Renner Berthing <esmil@labitat.dk> | 2018-09-26 13:16:11 +0200 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2018-11-10 22:30:23 +0100 |
commit | 9454fdbff511e965e4fd9eb187b7fe432dcd437e (patch) | |
tree | 616a430b46a4796dfbcbc53662a1f70af59720b5 /roles/space_server/files/nftables | |
parent | f203f1ccf538955dbd81e9a81b4cb9da520a9afa (diff) | |
space_server: drop unnecessary subdirs
Diffstat (limited to 'roles/space_server/files/nftables')
-rw-r--r-- | roles/space_server/files/nftables/nftables.conf | 212 | ||||
-rw-r--r-- | roles/space_server/files/nftables/nftables.service | 30 |
2 files changed, 0 insertions, 242 deletions
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
deleted file mode 100644
index 5f2f1b3..0000000
--- a/roles/space_server/files/nftables/nftables.conf
+++ /dev/null
@@ -1,212 +0,0 @@
-# our hosts
-define ap1 = 10.42.0.5
-define ap2 = 10.42.0.6
-define labitat = 185.38.172.72
-
-define spacewand4 = 185.38.175.70
-define spacewand6 = 2a01:4262:1ab::cafe
-
-define spacebrain4 = 185.38.175.69
-define spacebrain6 = 2a01:4262:1ab::db
-
-define labservers4 = { $spacewand4, $spacebrain4 }
-define labservers6 = { $spacewand6, $spacebrain6 }
-
-# internal stuff
-define ext_if = wan
-define ext_ip4 = 185.38.175.0
-define ext_ip6 = 2a01:4262:1ab::
-define int_net4 = 10.42.0.0/16
-define ext_net4 = 185.38.175.0/24
-define ext_net6 = 2a01:4262:1ab::/48
-define link_net4 = 193.106.167.40/29
-define link_net6 = 2a03:5440:1:2935:1ab::/120
-
-define adm_if = lan10
-define adm_ip4 = 10.42.0.1
-define adm_net4 = 10.42.0.0/24
-
-define wire_if = lan11
-define wire_ip4 = 10.42.1.1
-define wire_net4 = 10.42.1.0/24
-define wire_net6 = 2a01:4262:1ab:b::/64
-
-define priv_if = lan12
-define priv_ip4 = 10.42.2.1
-define priv_net4 = 10.42.2.0/24
-define priv_net6 = 2a01:4262:1ab:c::/64
-
-define free_if = lan13
-define free_ip4 = 10.42.3.1
-define free_net4 = 10.42.3.0/24
-define free_net6 = 2a01:4262:1ab:d::/64
-
-define pass_if = lan14
-define pass_ip4 = 10.42.4.1
-define pass_net4 = 10.42.4.0/24
-define pass_net6 = 2a01:4262:1ab:e::/64
-
-define serv_if = lan20
-define serv_ip4 = 185.38.175.65
-define serv_net4 = 185.38.175.64/24
-define serv_net6 = 2a01:4262:1ab:20::/64
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
-#define nat64_if = nat64
-#define nat64_net = 10.42.255.0/24
-#define nat64_net6 = fde2:52b4:4a19:ffff::/96
-
-table ip filter {
-chain input {
-type filter hook input priority 0;
-
-ct state established,related accept
-ct state invalid drop
-
-# no ping floods
-ip protocol icmp limit rate 100/second accept
-ip protocol icmp drop
-
-iif lo accept
-
-# bird etc. on fiberby link
-iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
-
-# dhcp
-udp sport bootpc udp dport bootps iif != $ext_if counter accept
-
-# radius
-iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
-
-# tftp
-iif $wire_if ip saddr $wire_net4 udp dport 69 accept
-
-# ssh
-tcp dport 22 accept
-
-# dns
-tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
-udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
-
-# avahi
-ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
-ip protocol igmp iif $avahi_ifs accept
-
-## debugging
-#iif $ext_if counter drop
-#udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
-#udp sport 17500 udp dport 17500 drop # Dropbox LANsync
-#ip protocol igmp drop # IGMP
-#counter log prefix "in4: " drop
-drop
-}
-
-chain forward {
-type filter hook forward priority 0;
-
-ct state established,related accept
-ct state invalid drop
-
-# accept all traffic to Labitat servers
-ip daddr $labservers4 accept
-
-ip saddr $labitat udp dport 161 counter accept # traffic stats
-
-# no traffic to admin net
-ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
-ip daddr $adm_net4 drop
-
-# local traffic
-iif $adm_if ip saddr $adm_net4 accept
-iif $wire_if ip saddr $wire_net4 accept
-iif $priv_if ip saddr $priv_net4 accept
-iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
-iif $pass_if ip saddr $pass_net4 accept
-iif $serv_if ip saddr $serv_net4 accept
-
-## debugging
-#iif $ext_if counter drop
-#counter log prefix "fw4: " drop
-drop
-}
-}
-
-table ip6 filter {
-chain input {
-type filter hook input priority 0;
-
-ct state established,related accept
-ct state invalid drop
-
-# no ping floods
-ip6 nexthdr ipv6-icmp limit rate 100/second accept
-ip6 nexthdr ipv6-icmp drop
-
-iif lo accept
-iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
-
-# bird etc. on fiberby link
-iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
-
-# ssh
-tcp dport 22 accept
-
-# dns
-tcp dport 53 ip6 saddr $ext_net6 accept
-udp dport 53 ip6 saddr $ext_net6 accept
-
-# avahi
-ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
-
-## debugging
-#counter log prefix "in6: " drop
-drop
-}
-
-chain forward {
-type filter hook forward priority 0;
-
-ct state established,related accept
-ct state invalid drop
-
-# accept all traffic to Labitat servers
-ip6 daddr $labservers6 accept
-
-iif $wire_if ip6 saddr $wire_net6 accept
-iif $priv_if ip6 saddr $priv_net6 accept
-iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
-iif $pass_if ip6 saddr $pass_net6 accept
-iif $serv_if ip6 saddr $serv_net6 accept
-
-## debugging
-#counter log prefix "fw6: " drop
-drop
-}
-}
-
-table ip nat {
-chain portforward {
-ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
-}
-
-chain prerouting {
-type nat hook prerouting priority -150;
-goto portforward
-}
-
-chain output {
-type nat hook output priority -150;
-goto portforward
-}
-
-chain input {
-type nat hook input priority -150;
-# this chain is needed to make dnat from the output chain work
-}
-
-chain postrouting {
-type nat hook postrouting priority -150;
-oif $ext_if ip saddr $int_net4 snat $ext_ip4
-}
-}
diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service
deleted file mode 100644
index f1c9028..0000000
--- a/roles/space_server/files/nftables/nftables.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Netfilter Tables
-Documentation=man:nft(8)
-Requires=sys-devices-virtual-net-lan10.device
-Requires=sys-devices-virtual-net-lan11.device
-Requires=sys-devices-virtual-net-lan12.device
-Requires=sys-devices-virtual-net-lan13.device
-Requires=sys-devices-virtual-net-lan14.device
-Requires=sys-devices-virtual-net-lan15.device
-Requires=sys-devices-virtual-net-lan20.device
-After=sys-devices-virtual-net-lan10.device
-After=sys-devices-virtual-net-lan11.device
-After=sys-devices-virtual-net-lan12.device
-After=sys-devices-virtual-net-lan13.device
-After=sys-devices-virtual-net-lan14.device
-After=sys-devices-virtual-net-lan15.device
-After=sys-devices-virtual-net-lan20.device
-Before=network-online.target
-
-[Service]
-Type=oneshot
-ProtectSystem=full
-ProtectHome=true
-ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
-ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
-ExecStop=/sbin/nft flush ruleset
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target